I think that you are fine, as long as you describe the information security tasks you were responsible for and map them to one of the specific ISC2 domains of security. Without knowing exactly what you did, I would say that most of your experience would map to Access Control, Operations Security, and Telecomm and Network Security.

What Ketchup recommended is exactly what I did. While I only had 2 1/2 years of DIRECT security experience, I was able to show enough previous experience in access control, operations security, etc to pass ISC2 requirement. I basically broke down my resume into the tasks and associated domains and submitted it.

If you get audited, don't take it personally. they ISC2 audits are completely random. If you happen to fail the experience audit and pass the test you will be an Associate of ISC2 until you meet the experience requirements.